Import jemalloc-5.3.1 (previous was 5.3.0)
This release includes over 390 commits spanning bug fixes, new features,
performance optimizations, and portability improvements. Multiple percent
of system-level metric improvements were measured in tested production
workloads. The release has gone through large-scale production testing
at Meta.
New features:
Support pvalloc. (@Lapenkov: 5b1f2cc)
Add double free detection for the debug build. (@izaitsevfb:
36366f3, @guangli-dai: 42daa1a, @divanorama: 1897f18)
Add compile-time option --enable-pageid to enable memory mapping
annotation. (@devnexen: 4fc5c4f)
Add runtime option prof_bt_max to control the max stack depth for
profiling. (@guangli-dai: a0734fd)
Add compile-time option --enable-force-getenv to use getenv instead
of secure_getenv. (@interwq: 481bbfc)
[129 lines not shown]
graphics/feh: update to 3.12.1
Mon, 06 Apr 2026 21:47:59 +0200 Birte Friesel <derf+feh at finalrewind.org>
* Release v3.12.1
* Update tests to reflect the %f/%F changes implemented in v3.12
Mon, 06 Apr 2026 11:13:12 +0200 Birte Friesel <derf+feh at finalrewind.org>
* Release v3.12
* Disallow %f and %n format specifiers in --action and --info strings;
abort with an error message if those are encountered. Use %F and %N
instead. Rationale: %f and %n do not escape shell-specific syntax and
are thus a security risk when passing untrusted file names to feh. %F and
%N, which have been available since v2.3 (Feb 2012), do escape
shell-specific syntax. Migration path: Replace %f (or '%f') and %n (or
'%n') with %F and %N (without '') in --action and --info commands.
Reported by Paavan Bagla, Archit Goyal, Michael Hurtado, Venkat Nallam,
and Jaden Wang <https://github.com/derf/feh/issues/821>.
[9 lines not shown]
pmap: move userland xtab activate/deactivate into pmap_md_asid{,de}activate
pmap_segtab_{,de}activate() no longer calls pmap_md_xtab_{,de}activate()
Instead move the calls into
- pmap_tlb_asid_acquire()
- pmap_tlb_asid_deactivate()
respectively.
Rename xtab to asid at the same time so that the functions are now named
pmap_md_asid_{,de}activate(), and are provided as static inline to improve
code size.
On arm32 and aarch64 TTBR0 is disabled for the entire time that a userland
process in not pmap_activate()ed and only ever enabled if a userland
process is pmap_activate()ed. This results in less twiddling of the disable
bit, and no speculation window there incorrect TTBR0 walks can occur.
The last part makes GENERIC64_PMAPMI stable on Fusion on an M4 laptop.
libxmlb: update to 0.3.26.
Version 0.3.26
~~~~~~~~~~~~~~
Released: 2026-04-14
New Features:
- Parse CDATA as text (Milan Crha)
Bugfixes:
- Add bounds check to prevent OOB read in token index lookup (Richard Hughes)
- Do not write an invalid silo when more than 63 attrs on one node (Richard Hughes)
- No inotify for illumos and Solaris (Marcel Telka)
- Prevent stack overflow from unbounded recursion in export (Richard Hughes)
libsixel: update to 1.8.7r1.
Security fix for CVE-2026-33023 (GHSA-hr25-g2j6-qjw6), use-after-free in load_with_gdkpixbuf().
Thanks to @nicoppida
Security fix for CVE-2026-33018 (GHSA-w46f-jr9f-rgvp), use-after-free in load_gif().
Thanks to @nicoppida
Security fix for CVE-2026-33019 (GHSA-c854-ffg9-g72c), integer overflow that leads to out-of-bounds read in img2sixel.
Thanks to @nicoppida
Security fix for CVE-2026-33020 (GHSA-2xgm-4x47-2x2p), integer overflow in write_png_to_file() that leads to heap overflow.
Thanks to @nicoppida
Security fix for CVE-2026-33021 (GHSA-j6m5-2cc7-3whc), use-after-free in sixel_encoder_encode_bytes().
Thanks to @nicoppida
Security fix for #222, out-of-bounds memory access in packed pixel format copy path.
Thanks to @xyzzy42
[12 lines not shown]
*cups*: update to 2.4.17
Changes in CUPS v2.4.17 (2026-04-17)
------------------------------------
- CVE-2026-27447: The scheduler treated local user and group names as case-
insensitive.
- CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
directory.
- CVE-2026-34980: The scheduler did not filter control characters from option
values.
- CVE-2026-34979: The scheduler did not always allocate enough memory for a
job's options string.
- CVE-2026-34990: The scheduler incorrectly allowed local certificates over the
loopback interface.
- CVE-2026-39314: Fixed the range check for job password strings.
- CVE-2026-39316: Fixed a printer subscription bug in the scheduler.
- CVE-2026-NNNNN: Fixed a SNMP string conversion bug in the backends.
- The scheduler followed symbolic links when cleaning out its temporary
[28 lines not shown]
jsongrep: update to 0.9.0.
What's Changed
feat: add first github pages playground by @thomas9911 in #31
refactor(cli): --porcelain flag, make --count/ --depth mutually exclusive, --depth with query by @micahkepe in #32
jjui: update to 0.10.3.
This release includes new Lua customisation support, repo-local
configuration, preview sizing improvements, and a set of UI fixes.
There were also some internal changes around action routing and
rendering, so if something feels broken or behaves differently,
please let me know.
www/ruby-propshaft: update to 1.3.2
1.3.2 (2026-04-17)
What's Changed
* Add charset=utf-8 to Content-Type for CSS and HTML assets by @flavorjones
in #264
New Contributors
* @flavorjones made their first contribution in #265
